Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure Site-2-Site to Meraki MX65W

JackInSights
Just browsing
‎Aug 23 2019 3:49 AM
‎Aug 23 2019 3:49 AM

Azure Site-2-Site to Meraki MX65W

I have created a policy based S2S VPN through to Meraki. I manages to connect for about a minute before the connection is dropped by Azure side. The VPN health pages from both Azure and Meraki confirm the connection is connected but I am unable to pass data through the VPN.

 

Meraki Logs:

Aug 22 16:02:28		Non-Meraki / Client VPN negotiation	msg: IPsec-SA expired: ESP/Tunnel (IP ADDRESS REMOVED FOR FORUM POST)[500]->(IP ADDRESS REMOVED FOR FORUM POST)[500] spi=20513400(0x1390278)
Aug 22 16:02:28		Non-Meraki / Client VPN negotiation	msg: (IP ADDRESS REMOVED FOR FORUM POST) give up to get IPsec-SA due to time up to wait.
Aug 22 16:02:22		Non-Meraki / Client VPN negotiation	msg: IPsec-SA established: ESP/Tunnel (IP ADDRESS REMOVED FOR FORUM POST)[500]->(IP ADDRESS REMOVED FOR FORUM POST)[500] spi=1719290698(0x667a4b4a)
Aug 22 16:02:22		Non-Meraki / Client VPN negotiation	msg: IPsec-SA established: ESP/Tunnel (IP ADDRESS REMOVED FOR FORUM POST)[500]->(IP ADDRESS REMOVED FOR FORUM POST)[500] spi=246369293(0xeaf4c0d)
Aug 22 16:02:22		Non-Meraki / Client VPN negotiation	msg: not matched
Aug 22 16:02:22		Non-Meraki / Client VPN negotiation	msg: ISAKMP-SA established (IP ADDRESS REMOVED FOR FORUM POST)[500]-(IP ADDRESS REMOVED FOR FORUM POST)[500] spi:2fc20dbf268e2691:9f77ad7ee133a1b9
Aug 22 16:02:22		Non-Meraki / Client VPN negotiation	msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY

 

Settings:

! [2] IPsec/IKE parameters
!
!   > IKE version:             IKEv2
!     + Encryption algorithm:  aes-cbc-256
!     + Integrityalgorithm:    sha1
!     + Diffie-Hellman group:  2
!     + SA lifetime (seconds): 3600
!     + Pre-shared key:        REMOVED
!     + UsePolicyBasedTS:      False
!
!   > IPsec
!     + Encryption algorithm:  esp-gcm 256
!     + Integrity algorithm:   
!     + PFS Group:             none
!     + SA lifetime (seconds): 3600

This matches up with the Azure preset in the Meraki S2S setup page. 

 

We have had the exact same setup completed with a Meraki MX64 for another client which works fine. We have compared line by line that config to this new one but unable to find any differences bar the usual IP addresses and PSK. 

0 Kudos
Subscribe
3 Replies 3
Happiman
Building a reputation
‎Aug 23 2019 9:35 AM
‎Aug 23 2019 9:35 AM

@JackInSights 

 

Have you requested to turn on IKEv2 on your network?

 

"Please note that IKEv2 is only supported on MX Security Appliances that are running firmware version 15.12 or higher. This version of IKE must also be enabled by Cisco Meraki support in order to function."]

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 24 2019 1:57 AM
‎Aug 24 2019 1:57 AM

It will probably be easier to change to use IKEv1 in Azure.

0 Kudos
Subscribe
In response to PhilipDAth
JackInSights
Just browsing
‎Aug 24 2019 2:08 AM
‎Aug 24 2019 2:08 AM

It is currently setup like this at the moment. Policy-based VNG but having no luck.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.